A researcher discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes, making it easier for malicious actors to steal potentially sensitive information without being detected.
Thorsten Schroeder of Swiss security firm Modzero noticed that the MicTray64.exe application, which is installed on many HP devices with the Conexant audio driver package and registered as a scheduled task in Windows, monitors all keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).
The problem is not that the keys pressed by the user are monitored. The problem, according to the expert, is that keystrokes are logged to a file in the Users/Public folder. Furthermore, keystrokes are passed on to the OutputDebugString debugging API, allowing a process to access the data via the MapViewOfFile function.
This leads to sensitive user data, including passwords, getting logged to easily accessible locations. A piece of malware could exploit the flaw to steal data without alerting antimalware products that look for suspicious behavior, the researcher warned.
“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,” Schroeder said in a blog post. “If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user.”
The researcher pointed out that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file. This functionality was introduced in version 1.0.0.46, released in October 2016. It’s unclear if any of the logged data is being sent back to Conexant servers.
Modzero said the vulnerability, tracked as CVE-2017-8360, appears to affect 28 HP laptops and tablet PCs, including EliteBook, ProBook, Elite X2 and ZBook models. The security firm believes devices from other vendors that use hardware and drivers from audio chip maker Conexant could be affected.
SecurityWeek has reached out to both HP and Conexant for comment and will update this article if they respond.
Until a fix becomes available, users who are concerned with the application’s behavior have been advised by Modzero to delete the MicTray64 executable from WindowsSystem32 and the MicTray.log log file from UsersPublic. One user has complained on Reddit that getting rid of the software, especially its registry keys, is not easy.
UPDATE. HP has provided the following statement: HP is committed to the security of its customers and we are aware of an issue on select HP PCs. We have identified a fix and will make it available to our customers.
